851 matches found
CVE-2026-41413
Istio is an open platform to connect, manage, and secure microservices. Prior to versions 1.28.6 and 1.29.2, when a RequestAuthentication resource is created with a jwksUri pointing to an internal service, istiod makes an unauthenticated HTTP GET request to that URL without filtering out localhos...
CVE-2026-41203 ci4ms Theme::upload is vulnerable to Zip Slip leading to RCE
CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.31.5.0, ci4ms Theme::upload extracts user uploaded ZIP archives without validating entry names, allowing an authenticated backend user...
CVE-2026-41660 Admidio: Inverted 2FA Reset Authorization Check Lets Group Leaders Strip Admin TOTP
Admidio is an open-source user management solution. Prior to version 5.0.9, a logic error in Admidio's two-factor authentication reset inverts the authorization check. Non-admin users cannot remove their own TOTP configuration, but they can remove other users' TOTP, including administrators. A...
CVE-2026-41656 Admidio: Path Traversal via Unvalidated `name` Parameter in Document Add Mode Enables Arbitrary Server File Read
Admidio is an open-source user management solution. Prior to version 5.0.9, the add mode in modules/documents-files.php accepts a name parameter validated only as 'string' type HTML encoding, allowing path traversal characters ../ to pass through unfiltered. Combined with the absence of CSRF...
Unity Linux 20.1050e / 20.1060e / 20.1070e Security Update: vim (UTSA-2026-016512)
The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-016512 advisory. Vim is an open source command line text editor. double-free in dialogchanged in Vim v9.1.0648. When abandoning a buffer, Vim may ask the user what to do with the...
PT-2026-38207
Name of the Vulnerable Software and Affected Versions Google Chrome versions prior to 148.0.7778.96 Description An inappropriate implementation in Preload allows a remote attacker to leak cross-origin data through the use of a crafted HTML page. Recommendations Update to version 148.0.7778.96 or...
EUVD-2026-27113
n8n is an open source workflow automation platform. Prior to versions 1.123.32, 2.17.4, and 2.18.1, the fix for GHSA-f3f2-mcxc-pwjx did not cover the Snowflake node or the legacy MySQL v1 node. Both nodes construct SQL queries by directly interpolating user-controlled table names, column names, a...
GHSA-QM77-8QJP-4VCM OpenClaw: Slack thread context could include messages from non-allowlisted senders
Summary Before OpenClaw 2026.4.2, Slack thread starter and thread-history context fetched through the API was not filtered by the effective sender allowlist. Messages from non-allowlisted senders could still enter the agent context when an allowlisted user replied in the same thread. Impact A Sla...
Astra Linux - vulnerability in ruby2.5
REXML is an XML toolkit for Ruby. The REXML gem prior to version 3.3.9 has a ReDoS vulnerability when it parses an XML document containing many digits between “&#” and “x…;” in a hexadecimal character reference &#x…;. This issue does not occur in Ruby 3.2 or later versions. Ruby 3.1 is the only...
PT-2026-36852
Name of the Vulnerable Software and Affected Versions vm2 versions prior to 3.10.5 Description A critical sandbox escape exists in the vm2 library, which is used to run untrusted JavaScript code in Node.js applications. This issue allows an attacker to break out of the restricted environment and...
CVE-2026-40601 Chartbrew: Missing Authorization in /api/chart/:chart_id/query via team-level refresh toggle
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes POST /api/chart/:chart_id/query without authentication. The endpoint only checks team.allowReportRefresh and does not verify that the...
GHSA-C28G-VH7M-FM7V OpenClaw: Owner-enforced commands could accept wildcard channel senders as command owners
Impact OpenClaw deployments before 2026.4.21 could treat a non-owner sender as authorized for owner-enforced slash commands when all of the following were true: - a channel plugin declared commands.enforceOwnerForCommands: true; - the channel accepted wildcard inbound senders with allowFrom: ""; ...
TencentOS Server 3: libpng15 (TSSA-2026:0254)
The version of Tencent Linux installed on the remote TencentOS Server 3 host is prior to tested version. It is, therefore, affected by a vulnerability as referenced in the TSSA-2026:0254 advisory. Package updates are available for TencentOS Server 3 that fix the following vulnerabilities:...
CVE-2026-41649 Outline has IDOR in document share creation that allows unauthorized access to private documents across workspaces
Outline is a service that allows for collaborative documentation. The shares.create API endpoint starting in version 0.86.0 and prior to version 1.7.0 has an insecure direct object reference. When both collectionId and documentId are provided in the request, the authorization logic only checks...
OpenClaw: Paired-device pairing actions were not limited to the caller device
Affected Packages / Versions - Package: openclaw npm - Affected versions: 2026.4.20 - Patched version: 2026.4.20 Impact A paired device session with limited pairing scope could enumerate global pairing state and act on pairing requests that belonged to another device within the same gateway scope...
OpenClaw: Isolated cron awareness events were recorded as trusted system events
Affected Packages / Versions - Package: openclaw npm - Affected versions: 2026.4.20 - Patched version: 2026.4.20 Impact Output from webhook-triggered isolated cron agent runs could be queued into the main session awareness stream without trusted: false. That made the event render as a trusted...
CVE-2026-42042 Axios: XSRF Token Cross-Origin Leakage via Prototype Pollution Gadget in `withXSRFToken` Boolean Coercion
Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, the Axios library's XSRF token protection logic uses JavaScript truthy/falsy semantics instead of strict boolean comparison for the withXSRFToken config property. When this property is set to any truthy...
CVE-2026-32952
go-ntlmssp is a Go package that provides NTLM/Negotiate authentication over HTTP. Prior to version 0.1.1, a malicious NTLM challenge message can cause a slice out of bounds panic, which can crash any Go process using ntlmssp.Negotiator as an HTTP transport. Version 0.1.1 patches the issue...
CVE-2026-32870
Kirby is an open-source content management system. Kirby's Xml::value method has special handling for blocks. If the input value is already valid CDATA, it is not escaped a second time but allowed to pass through. However, prior to versions 4.9.0 and 5.4.0, it was possible to trick this check int...
PT-2026-36183
Name of the Vulnerable Software and Affected Versions Traefik versions prior to 2.11.43 Traefik versions prior to 3.6.14 Traefik versions prior to 3.7.0-rc.2 Description An issue exists in the Kubernetes CRD provider cross-namespace isolation enforcement. When...